Outrage Grows Over Massive US Government Hack

'This erodes confidence going forward that the federal government will be able to protect federal employees whose personal data — social security numbers, dates of birth, fingerprints — has been stolen.'

WASHINGTON, D.C. — Outrage continued to increase Friday in the wake of the massive hack of the U.S. government, an incident that puts Washington in a quandary over dealing with China, the main suspect in the attack.

Lawmakers and employee union leaders expressed disbelief over the staggering numbers affected – some 21.5 million people, including current and former government workers, applicants, contractors and spouses of those who underwent background checks for security clearances.

That number is on top of a previously disclosed 4.2 million federal employees whose records were stolen. With overlap of the two groups, the total number affected was 22.1 million, according to the Office of Personnel Management.

U.S. Senator Barbara Mikulski (D-Md.) said the disclosure "is as outrageous and unacceptable as it is devastating," adding that "this erodes confidence going forward that the federal government will be able to protect federal employees whose personal data — social security numbers, dates of birth, fingerprints — has been stolen."

The results of an investigation released Thursday show hackers accessed personal, financial and health data, in addition to fingerprints of some and information about spouses and cohabitants of employees.

The National Treasury Employees Union, which has sued over the breach, said the government's offer of three years of fraud monitoring was woefully inadequate.

"NTEU continues to be outraged that so many of our members have had their personal information compromised due to these breaches," union president Colleen Kelley said. "We will continue to pursue our lawsuit to provide lifetime credit monitoring and identity theft protection."

An update from the OPM said those affected were 19.7 million who underwent a background investigation, and 1.8 million others, mostly spouses or cohabitants of applicants for government jobs.

The massive figure adds to the gravity of the breach, which prompted a series of hearings in Congress and widespread criticism of the state of U.S. cyber-defenses.

Officials said last month that 4.2 million personnel records were breached in a separate attack affecting current, former and prospective federal employees.

An OPM statement noted that for anyone who underwent a background investigation in 2000 or afterward, "it is highly likely that the individual is impacted by this cyber breach."

OPM Director Katherine Archuleta said there was "no information to suggest any misuse" of the data, but that the government would be offering free monitoring to those affected to guard against fraud or identity theft.

Archuleta is likely to face more hostile questions from lawmakers after several stormy congressional hearings in recent weeks. She has defended her record, saying new systems she implemented helped discover the breaches.

Republican House Speaker John Boehner said Archuleta should be fired.

"It has taken this administration entirely too long to come to grips with the magnitude of this security breach," Boehner said in a statement. "I have no confidence that the current leadership at OPM is able to take on the enormous task of repairing our national security. Too much trust has been lost, and too much damage has been done."

China in focus, but not publicly

Officials declined to comment on the assertion that China was behind the massive breach, even though intelligence chief James Clapper said last month that Beijing was "the leading suspect."

Michael Daniel, cybersecurity coordinator at the White House National Security Council, said that "just because we are not doing public attribution does not mean we are not taking steps to deal with this."

James Lewis, a senior fellow at the Center for Strategic and International Studies, said the breach creates a host of political and diplomatic problems for the U.S. government.

"The issue now is why the reluctance to name China? It sends a powerful message to the Chinese if we don't confront them over this, a message that they can get away with almost anything since the Americans value trade deals above security," Lewis told AFP.

Lewis added that the breach may call into question a law that prevents the National Security Agency from protecting civilian agencies. "Agencies protected by NSA didn't lose any sensitive data. Maybe it's time to change this 1987 law," he said.

Some private-sector analysts have cited evidence pointing to China and have said the breach appears to be part of a wide-ranging intelligence operation that could gather sensitive data for recruitment, blackmail or extortion.

A Chinese foreign ministry official reiterated China's denial of involvement on Friday.

"All parties should adopt a constructive attitude on this issue. It is imperative to stop groundless accusations, (and) step up consultations to formulate an international code of conduct in cyberspace ... in the spirit of mutual respect," the spokeswoman said.